FC6, on a system using LDAP auth:
type=AVC msg=audit(1174305023.309:160): avc: denied { create } for
pid=5320 comm="perl"
scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tclass=netlink_route_socket
type=SYSCALL msg=audit(1174305023.309:160): arch=40000003 syscall=102
success=no exit=-13 a0=1 a1=bfafaf20 a2=4933dff4 a3=bfafb19d items=0
ppid=5318 pid=5320 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="perl" exe="/usr/bin/perl"
subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1174305023.311:161): avc: denied { create } for
pid=5320 comm="perl"
scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tclass=unix_dgram_socket
type=SYSCALL msg=audit(1174305023.311:161): arch=40000003 syscall=102
success=no exit=-13 a0=1 a1=bfafb2a4 a2=4933dff4 a3=14 items=0 ppid=5318
pid=5320 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="perl" exe="/usr/bin/perl"
subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)

I added rules:

# Allow logwatch to send syslog messages and read the routing table
allow logwatch_t self:netlink_route_socket { r_netlink_socket_perms };
logging_send_syslog_msg(logwatch_t)

The syslog messages being sent were along the lines of:

Mar 19 11:52:33 xy01m005 perl: nss_ldap: failed to bind to LDAP server
ldap://10.1.0.65: Can't contact LDAP server
Mar 19 11:52:33 xy01m005 perl: nss_ldap: could not search LDAP server -
Server is unavailable
Mar 19 11:52:34 xy01m005 perl: nss_ldap: failed to bind to LDAP server
ldap://10.1.0.65: Can't contact LDAP server
Mar 19 11:52:34 xy01m005 perl: nss_ldap: failed to bind to LDAP server
ldap://10.1.0.65: Can't contact LDAP server
Mar 19 11:52:34 xy01m005 perl: nss_ldap: reconnecting to LDAP server
(sleeping 4 seconds)...

So these were valid messages that I needed to see...

Paul.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
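
Added example, not part of the original post and not code from the SELinux tools: a small Python parser that re-joins the mail-wrapped AVC records quoted above and reduces them to the minimal raw allow rules they imply. The function names are hypothetical; the sample input is copied from the two AVC records in the post.

```python
import re
from collections import defaultdict

# Sample input: the two AVC records from the post, still wrapped as mailed.
SAMPLE = """\
type=AVC msg=audit(1174305023.309:160): avc: denied { create } for
pid=5320 comm="perl"
scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tclass=netlink_route_socket
type=AVC msg=audit(1174305023.311:161): avc: denied { create } for
pid=5320 comm="perl"
scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tclass=unix_dgram_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+).*?tcontext=(\S+).*?tclass=(\S+)"
)

def join_records(text):
    """Undo mail wrapping: every audit record starts with 'type='."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def selinux_type(context):
    """A context is user:role:type[:mls-range]; the type is the third field."""
    return context.split(":")[2]

def candidate_rules(text):
    """Group denied permissions by (source type, target, class)."""
    perms = defaultdict(set)
    for rec in join_records(text):
        m = AVC_RE.search(rec) if rec.startswith("type=AVC") else None
        if not m:
            continue  # SYSCALL and other record types carry no permission set
        src, tgt = selinux_type(m.group(2)), selinux_type(m.group(3))
        target = "self" if src == tgt else tgt  # same domain => 'self' rule
        perms[(src, target, m.group(4))].update(m.group(1).split())
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms.items())]

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE)))
```

Each AVC record names only the permission that was denied at that syscall, so the rules derived this way cover `create` alone; the macro and interface used in the post grant the wider permission sets the later socket operations need.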